Re: [fw-wiz] Pix VPN endpoint and split-tunnel
From: Greg Spath (gkspath_at_armstrong.com)
Date: 10/17/05
- Previous message: Charlie Winckless: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
- In reply to: Paul Melson: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Next in thread: Hughes, Chris: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Mon, 17 Oct 2005 16:31:37 -0400
On Wed, 12 Oct 2005 10:45:10 -0400
"Paul Melson" <pmelson@gmail.com> wrote:
> -----Original Message-----
> Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
>
> > I am trying to configure a cisco pix as a vpn endpoint for the
> > cisco vpn client and would like to force the client to use the
> > corporate network for internet access. I don't want to allow
> > split-tunnel. I can't find any info on how to do this. Is split
> > tunnel the only way to give a vpn client internet access once they
> > are connected?
>
> The short answer is yes. PIX-fu rule #1: the PIX is not a router.
> It can't take traffic that arrives on one interface and pass it back
> out that same interface, even when the traffic arrives via VPN
> tunnel. That said, you can sort of solve this problem by having the
> clients use a proxy server while connected via full tunnel. There
> may or may not be an elegant way to automate this for your road
> warriors, but this would really be independent of anything the PIX or
> VPN client do. (Think login scripts, Group Policy, etc.)
Not being a PIX admin, I didn't want to jump on this thread. I know
that the contivity VPN gateways/clients that we use can be configured to
not allow split-tunneling, and assumed pix could do the same.
Anyway, on the subject of login scripts, group policy, etc., here is what
I do for my alternate PPP over SSH solution on my linux laptop. The info
may or may not help, but I thought I'd share. Yes, it's pretty basic
when you see it, but it took me a while to see this rather obvious
solution :)
On VPN Connect:
1) create static route to remote gateway
2) remove default route
3) set new default route to internal server address (VPN endpoint,
virtual address), and let that box do my routing.
On Disconnect:
1) restore default gateway to original
2) remove static route to remote gateway
This will route all traffic through your tunnel, but is not really a
"split tunnel" because you can still hit your local subnet, and other
hosts on that subnet can still reach you. That can be dealt with using
firewall rules of some sort, not sure how easy that would be on a
windows PC.
>
> If it's a big enough issue that you're willing to spend time and
> resources on it, I would recommend looking at the VPN3K concentrators
> (or ASA 5500?). They can do exactly what you're asking for, plus they
> possess a number of other features for managing VPN client users that
> the PIX doesn't have. (Like dynamic VPN profile assignment via
> RADIUS.)
Agreed there. That is why we use Nortel contivities for our clients.
The contivity is very good at providing client VPN with 2 factor auth.
Good luck,
-- Greg
--
Greg Spath <gkspath@armstrong.com>
Infrastructure Security Analyst
Armstrong World Industries, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
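The connect/disconnect route steps Greg describes, written as an ip-up/ip-down style hook for a PPP-over-SSH tunnel on Linux. This is an added example, not code from the original post; the addresses, the DRY_RUN switch and the function and parameter names are assumptions, and with DRY_RUN=1 it prints the `ip route` commands instead of executing them so the ordering can be inspected without touching the routing table.

```shell
#!/bin/sh
# Hypothetical ip-up/ip-down hook (added example, not from the post).
# Parameters: REMOTE_GW = public address of the SSH/PPP server,
# TUN_GW = the server's address inside the tunnel (new default gateway),
# LOCAL_GW = the laptop's original default gateway, LOCAL_IF = its interface.
# DRY_RUN=1 prints each command instead of running it.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Current default gateway and interface, for saving before connect
# (prints "GATEWAY IFACE"; not used in dry-run mode).
current_default() {
    ip -4 route show default | awk '{print $3, $5; exit}'
}

# Connect: pin the remote gateway to the physical link FIRST, otherwise
# the tunnel's own packets would be sent into the tunnel once the
# default route moves and the session would collapse.
vpn_up() {
    REMOTE_GW="$1"; TUN_GW="$2"; LOCAL_GW="$3"; LOCAL_IF="$4"
    run ip route add "$REMOTE_GW/32" via "$LOCAL_GW" dev "$LOCAL_IF"
    run ip route del default via "$LOCAL_GW" dev "$LOCAL_IF"
    run ip route add default via "$TUN_GW"
}

# Disconnect: the route via the ppp interface vanishes with the interface;
# restore the original default, then drop the pinned host route.
vpn_down() {
    REMOTE_GW="$1"; LOCAL_GW="$2"; LOCAL_IF="$3"
    run ip route add default via "$LOCAL_GW" dev "$LOCAL_IF"
    run ip route del "$REMOTE_GW/32"
}
```

As Greg notes, this still leaves the local subnet reachable in both directions; a host firewall rule set applied in the same hook is the place to close that if required.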